[00:02.080 --> 00:06.200]  Yes, okay. Thank you for the kind introduction, John.
[00:06.240 --> 00:09.800]  Hello, DEF CON crowd, Car Hacking Village crowd,
[00:09.800 --> 00:14.000]  anyone after the fact, if you happen to be watching this sometime in the future.
[00:14.120 --> 00:19.120]  My name is Kamel. Today I'm going to be talking to you guys about Bluetooth in automotive.
[00:19.500 --> 00:22.760]  So, quick introduction for myself.
[00:22.760 --> 00:25.880]  This is just to make sure you believe that I'm, you know,
[00:25.880 --> 00:28.640]  qualified to be talking about the things I'm speaking about.
[00:28.640 --> 00:32.780]  So, I'm an automotive cybersecurity technology architect at WhiteMotion.
[00:32.780 --> 00:38.000]  WhiteMotion is a little-known, is a very small subsidiary of Morelli,
[00:38.000 --> 00:41.700]  the former Italian automotive OEM Magneti Morelli.
[00:41.700 --> 00:47.460]  They merged with a Japanese automotive supplier called CalSonic Kansai a few years ago.
[00:47.460 --> 00:51.420]  And since at the time, WhiteMotion was a subsidiary of CalSonic Kansai,
[00:51.420 --> 00:54.020]  we're now fully owned by Morelli Corporation.
[00:54.020 --> 00:56.800]  I'm based in Tokyo in Japan. I'm trilingual.
[00:56.800 --> 00:58.980]  I speak English, Arabic, and Japanese.
[00:58.980 --> 01:03.200]  I've been involved in the automotive cybersecurity industry for about three years now.
[01:03.540 --> 01:08.040]  I've been on all sides of the table, including, you know, private consultant,
[01:08.500 --> 01:12.180]  you know, trainer, red team, blue teamer, so on and so forth.
[01:12.180 --> 01:15.460]  I've kind of, I've worn a lot of hats in the last few years because
[01:15.940 --> 01:20.060]  auto cyber is a very new and, you know, expanding field and no one's, you know,
[01:20.060 --> 01:23.100]  job is as well-defined as they might like to think it is.
[01:23.100 --> 01:27.180]  I got involved in the community side of things a while back.
[01:27.180 --> 01:32.480]  I was a big, I was an administrator on the ASRG board in Detroit,
[01:32.480 --> 01:37.060]  and I started the ASRG chapter here in Japan.
[01:37.060 --> 01:40.200]  ASRG, by the way, stands for Automotive Security Research Group.
[01:40.200 --> 01:45.760]  It's a group that is, I believe we're sponsoring the Car Hacking 101 this year at DEF CON.
[01:45.760 --> 01:49.060]  So we're kind of managing things through that.
[01:49.060 --> 01:54.900]  But yeah, it's a group dedicated to sharing automotive security resources
[01:54.900 --> 01:58.220]  and information and helping, you know, expand awareness for the industry
[01:58.220 --> 02:03.300]  and help grow it as not only an industry for work and stuff, but also as a community.
[02:03.840 --> 02:07.460]  So I consider myself a jack of some trades and a master of none.
[02:07.460 --> 02:12.360]  I'm not especially good at anything that I do, I like to think, but I have a lot of interests.
[02:12.360 --> 02:14.860]  So lately I've been doing a lot of Bluetooth stuff.
[02:14.860 --> 02:18.320]  Bluetooth has kind of become my pet project, right?
[02:18.320 --> 02:24.320]  Studying Bluetooth vulnerabilities and techniques for car hacking as it relates to what I do at work,
[02:24.320 --> 02:28.180]  as well as things like RF, digital forensics and USB.
[02:28.180 --> 02:31.960]  My other hobbies are listed down there and, you know, they're not incredibly interesting.
[02:32.020 --> 02:37.440]  But the picture in the background, you might be able to see this is me.
[02:37.440 --> 02:42.400]  And this was my team for the 2019 Car Hacking Village CTF.
[02:42.400 --> 02:47.640]  So my team actually came in first place, we're Team Canucks, we're the best and no one is better than us.
[02:47.720 --> 02:52.280]  And I think it's just worth saying, right, just more for the qualification.
[02:52.460 --> 02:57.260]  But anyway, enough about me, enough of that boring stuff, let's get into the actual presentation.
[02:57.540 --> 02:59.120]  So what is Bluetooth?
[02:59.740 --> 03:03.100]  Bluetooth is a very common cable replacement technology.
[03:03.100 --> 03:06.880]  It's found in virtually all smartphones, all computers.
[03:06.880 --> 03:14.820]  And a lot of the wireless IoT devices worldwide use Bluetooth as their main mode of transportation.
[03:14.840 --> 03:16.620]  Communication, right?
[03:16.740 --> 03:23.240]  It operates in the 2.4 gigahertz frequency range, which is the same as some of the Wi-Fi standards, right?
[03:23.240 --> 03:24.800]  The 802.11 standards.
[03:24.800 --> 03:30.760]  And as a result, there's a lot of Wi-Fi chips that are bundled together with like a Bluetooth chip, right?
[03:30.760 --> 03:34.040]  So some manufacturers that make both Wi-Fi and Bluetooth hardware,
[03:34.040 --> 03:41.780]  they'll actually bundle those together because they're pretty similar from a physical frequency perspective, right?
[03:42.660 --> 03:49.980]  Some of the more unique things about Bluetooth compared to Wi-Fi, though, is that it utilizes something called frequency hopping,
[03:49.980 --> 03:52.120]  which makes it harder to monitor, right?
[03:52.120 --> 04:00.240]  Which is something I'll talk a little bit more about when we get to why Bluetooth is such a hard technology to research from a security standpoint, right?
[04:00.240 --> 04:07.620]  But I'm sure that at this point, you know, for most of you, Bluetooth is something you talk about in your everyday life, right?
[04:07.620 --> 04:10.520]  Like if you're using AirPods, they're using Bluetooth, right?
[04:10.520 --> 04:17.600]  If you connect your phone to your car stereo system, which, by the way, we'll be talking about, you're using Bluetooth, right?
[04:17.660 --> 04:23.580]  So in automotive, Bluetooth is mostly used for, well, exactly what I mentioned earlier, right?
[04:23.580 --> 04:28.760]  Connecting to your vehicle's stereo system, sharing your phone book with your car, right?
[04:28.760 --> 04:33.620]  That's a source of confidential information, which is, of course, of interest from a security perspective.
[04:33.820 --> 04:41.520]  But the main task delegated to Bluetooth is not, you know, a very high-impact one.
[04:41.520 --> 04:45.600]  It's mostly just controlling your music, you know, hands-free phone calls, etc.
[04:46.100 --> 04:52.300]  And, you know, things like your phone book access so that you can actually see who's calling you when you're on the road and you receive a text message.
[04:52.300 --> 04:55.600]  You know, some cars will actually support text message integration, too, right?
[04:55.600 --> 04:59.620]  So this is the basic use case for Bluetooth in automotive, right?
[04:59.620 --> 05:08.200]  And this is probably common sense to a lot of you, but what might be less common sense is how the Bluetooth protocol is actually organized.
[05:08.220 --> 05:12.560]  So I said Bluetooth protocol, but Bluetooth itself is actually a specification.
[05:12.560 --> 05:19.920]  It's not one specific technology. It is a set of specifications maintained by a company, or rather, it's a group.
[05:19.920 --> 05:23.540]  It's a group of companies called the Bluetooth Special Interest Group, right?
[05:23.540 --> 05:36.980]  They manage the specification for Bluetooth, they publish the standard, and they kind of monitor how it's performing, you know, make updates to it whenever a new version of the technology comes out.
[05:36.980 --> 05:48.420]  But at the end of the day, it's up to each individual manufacturer to actually implement the Bluetooth, you know, stack on their hardware however they like, right?
[05:48.420 --> 05:54.080]  And so this is where we get to the big divide in the different protocols that make up Bluetooth, right?
[05:54.080 --> 06:00.540]  So you can see on the screen here, I have the different protocols that make up Bluetooth split into a couple of categories.
[06:00.540 --> 06:07.900]  We have the blue ones up here, the RFComm, right? Radio Frequency Communication, SDP, Service Discovery Protocol, L2Cap.
[06:07.900 --> 06:16.940]  This is logical something. I don't remember what this stands for exactly, but it's one of the higher layer protocols, right?
[06:16.940 --> 06:25.360]  And then down here, you have the ones in red, right? This is Device Manager, Link Manager, Baseband Resource Manager, Link Controller, and the PHY, right?
[06:25.360 --> 06:30.920]  And then in the middle, you have the Host Controller Interface, right? Which begs the question, what does that mean, Host Controller Interface?
[06:30.920 --> 06:37.080]  Well, I made this box here purple for a reason, right? So the ones on the top, they're blue, right?
[06:37.080 --> 06:44.840]  These are controlled by the host, right? Your operating system. Your operating system will have its own Bluetooth stack.
[06:44.840 --> 06:48.600]  And according to that Bluetooth stack, it operates in a certain way, right?
[06:48.600 --> 06:56.040]  So for those of you who are familiar with Linux, BlueZ is one of the more common Bluetooth stacks running on most Linux distributions.
[06:56.240 --> 07:00.840]  And it's made specifically for Linux, right?
[07:00.840 --> 07:04.860]  But then the controller side, right? We have Host Controller Interface.
[07:04.860 --> 07:14.080]  So the reason this whole architecture exists is because it makes it easier to interface with different hardware from the actual hardware manufacturers, right?
[07:14.080 --> 07:19.860]  Because they kind of abstract away everything that happens down here through the Host Controller Interface,
[07:19.860 --> 07:24.860]  the host doesn't need to worry too much about what's going on down here, right?
[07:24.860 --> 07:29.080]  So these are controller side protocols, right?
[07:29.080 --> 07:36.800]  And each one of these is going to be programmed a different way based on the actual manufacturer of the hardware itself.
[07:36.800 --> 07:45.180]  And by the hardware, I'm not talking about your laptop manufacturer, I'm talking about the actual Bluetooth chip manufacturer, right?
[07:48.080 --> 07:52.560]  So going over a short history of Bluetooth security, right?
[07:52.560 --> 08:01.340]  When Bluetooth first came out in the early 2000, there were a lot of gimmicks that exploited like protocol level issues in early Bluetooth, right?
[08:01.340 --> 08:09.080]  I would call these like... I call them gimmicks because they're kind of like, okay, the first time they designed it, they decided encryption wasn't important.
[08:09.080 --> 08:13.420]  So they didn't include encryption, right? For certain things like that.
[08:13.420 --> 08:21.620]  So a lot of these were fixed in 2007, when the Bluetooth 2.1 plus extended data rate update arrived, right?
[08:21.620 --> 08:27.900]  This introduced mandatory encryption for connection based data, except for service discovery protocol.
[08:28.220 --> 08:30.700]  And it introduced secure simple pairing, right?
[08:30.700 --> 08:35.420]  So legacy pairing was the process by which Bluetooth devices connected before this.
[08:36.040 --> 08:40.540]  The only way you could pair two devices was through inputting a pin, right?
[08:40.540 --> 08:44.380]  So a four digit pin, right? So 0000 or 1234, right?
[08:44.380 --> 08:50.280]  This sounds like a good enough way to do authentication for the connection process between two trusted devices.
[08:50.280 --> 08:57.600]  But for some devices, right? Say, for example, a pair of cheap Bluetooth headphones you bought online, they don't have a user interface.
[08:57.600 --> 09:03.260]  So you can't really pick the pin that the corresponding connecting cell phone is supposed to put in, right?
[09:03.260 --> 09:08.580]  So they usually be hard coded with something like 0000 or 1234, right?
[09:08.580 --> 09:10.840]  And this was kind of a bad system.
[09:10.840 --> 09:16.320]  And so that's why they introduced secure simple pairing, which introduced a couple of more options for pairing your device.
[09:16.320 --> 09:21.580]  So now they have passkey, you know, they still have the passkey input, but then they also have numerical comparison.
[09:21.580 --> 09:29.140]  They also have out of band, right? Out of band pairing is essentially you pair through a different mechanism other than Bluetooth, right?
[09:29.140 --> 09:35.480]  So you might have like NFC or something else, another technology entirely used to do the pairing.
[09:35.480 --> 09:38.740]  But then the actual data transfer, et cetera, is done over Bluetooth.
[09:38.740 --> 09:42.000]  And there's another one called just works, which is exactly what it sounds like.
[09:42.000 --> 09:47.740]  And it needs to go, to be honest. It's essentially no authentication at all.
[09:48.320 --> 09:59.000]  But that's for things like I mentioned earlier, things like headphones that don't have a user interface or like a keyboard or monitor where you can actually do a number comparison.
[09:59.000 --> 10:04.560]  They have to have something in place to work. So they introduced just works.
[10:04.760 --> 10:09.300]  But anyway, so after that happened, right, after the introduction of secure simple pairing,
[10:09.300 --> 10:18.300]  sorry, I got a little bit sidetracked. There was a pretty long year, long period of about eight years where there wasn't a lot of research done on Bluetooth.
[10:18.300 --> 10:28.500]  Right. So mostly old gimmicks didn't work anymore. Bluetooth low energy, which came out alongside Bluetooth 4.0, started out pretty insecure and was a pretty hot topic for research.
[10:28.820 --> 10:38.020]  But eventually a lot of those got patched out. And I think nowadays, Bluetooth low energy is getting closer to traditional Bluetooth security grade.
[10:38.020 --> 10:47.640]  Right. And so. What I mean by the traditional Bluetooth security grade is after all those protocol level bugs got, you know, hammered out,
[10:47.640 --> 10:56.220]  it's not it wasn't as easy to do research of Bluetooth, because if you think about it in comparison to Wi-Fi, I made that comparison earlier because they're very physical.
[10:56.680 --> 11:03.080]  Sorry, they're very similar from the physical perspective that they both occupy the 2.4 gigahertz space.
[11:03.080 --> 11:09.160]  Bluetooth uses that frequency hopping, which makes it a little bit harder to analyze.
[11:09.160 --> 11:17.400]  You can't buy a 10, 15 dollar Bluetooth sniffer online and just monitor Bluetooth traffic going through the air.
[11:17.400 --> 11:25.900]  Right. Another thing. Sorry. So I have a couple of these listed. Right. These problems surrounding Bluetooth security research.
[11:25.900 --> 11:32.240]  Right. So one of these one of the other problems, you know, I mentioned the earlier that it's not a specific technology.
[11:32.240 --> 11:41.720]  It's a specification defined by the Bluetooth special interest group and that the implementations will vary based on the operating environments and the chip firmware implementations.
[11:41.740 --> 11:49.060]  Right. And I also talked about how the frequency hopping means so you can't actually sniff it out of the air like you can with Wi-Fi.
[11:49.060 --> 11:54.940]  There does exist equipment for that, but that's going to cost about twenty thousand dollars minimum.
[11:54.940 --> 12:01.600]  Right. Like these are very high grade, like I would say, like government, military grade equipment.
[12:01.600 --> 12:06.300]  You cannot be expected to buy this if you want to do research on Bluetooth. Right.
[12:06.780 --> 12:16.740]  So and then what I mentioned before, I'm going to go back a couple of slides and show you the breakdown of the different the different protocols. Right.
[12:17.320 --> 12:23.220]  It's not as easy to analyze the lower level protocols as it should be. Right.
[12:23.220 --> 12:30.480]  Because if we think about this here. Right. So you have your your host layer protocols, right. RFCOM, STP and L2CAP.
[12:30.800 --> 12:41.960]  And these are decently well explored and the host controller interface exists and you have the ability to log host controller interface data on all Linux and all Android platforms,
[12:41.960 --> 12:53.040]  which I'll be showing later on in the presentation. But all of these red processes, all of these red protocols are essentially a black box.
[12:53.040 --> 13:02.200]  And because they're going to be so different from manufacturer to manufacturer, you know, there's no real understanding of what's going on inside these chips. Right.
[13:02.200 --> 13:12.520]  So that's another reason why security and Bluetooth is has been kind of on the down low for, you know, for a while, up until pretty recently. Right.
[13:12.920 --> 13:19.680]  And, you know, I said the spec is very complicated. And that is a big part of it. Right.
[13:19.680 --> 13:27.160]  Because, you know, there are certain parts of the Bluetooth specification that you wouldn't you wouldn't from a security perspective,
[13:27.160 --> 13:33.540]  you wouldn't assume that somebody read this and said, yes, this is OK, and then put it into the spec.
[13:33.540 --> 13:39.360]  And then it went undetected for, you know, since the birth of Bluetooth until last year, actually. Right.
[13:39.360 --> 13:48.620]  The this scenario I'm talking about actually happened. A vulnerability was released that essentially disclosed the fact that any Bluetooth device,
[13:48.620 --> 13:56.480]  when it's pairing with another device, it has the option to negotiate the entropy of the encryption keys used for the communication.
[13:56.480 --> 14:02.620]  Right. OK, that's a sounds like a good idea from from one perspective. Right.
[14:02.620 --> 14:08.700]  You have the option to if you have hardware that only supports, say, you know, a couple of bytes of entropy,
[14:08.700 --> 14:15.160]  you can negotiate, say, OK, well, I can only support this much. So can you please lower the security of the communication?
[14:15.160 --> 14:20.480]  Right. It's a compatibility thing. But the researchers that published the vulnerability found out that the minimum,
[14:20.480 --> 14:29.100]  according to the Bluetooth specification, right, the minimum allowed entropy for this encryption was only one byte.
[14:29.100 --> 14:39.420]  So they could forcibly, by modifying the firmware of one of their devices, they could negotiate down the connection,
[14:39.420 --> 14:46.740]  you know, the encryption entropy of the connection they were making down to one byte of encryption. Right.
[14:46.740 --> 14:56.100]  And one byte of encryption, one byte of entropy for encryption, sorry, is enough to essentially brute force in real time and monitor Bluetooth communications.
[14:56.100 --> 14:59.860]  Right. If you have some some cheaper hardware, you don't need the twenty thousand dollar hardware.
[14:59.860 --> 15:07.120]  You need some slightly less expensive hardware and you can actually sniff some of the packets, some of the packets out of the air. Right.
[15:09.040 --> 15:15.020]  That vulnerability itself is pretty interesting. It's called NOB. Right. K-N-O-B. Right.
[15:15.020 --> 15:23.720]  It's an acronym for key negotiation of Bluetooth. I'm not going to go too far in detail on that one because I have a couple more things I want to talk about.
[15:23.860 --> 15:35.660]  But that is a good segue into the fact that recently there has been more of a look at Bluetooth security, especially from some labs out in Europe.
[15:35.660 --> 15:41.080]  They have been putting out a lot of great research that I'll have linked to in the end of this demonstration.
[15:41.280 --> 15:46.940]  But back to the automotive things. I'm kind of going in circles because there's a lot to talk about here.
[15:46.940 --> 15:59.160]  But coming full circle to the automotive side of things, this is a diagram from a piece of research that was published by Tencent's Keen Security Labs.
[15:59.160 --> 16:04.780]  They published this in March of 2020. So this is really cutting edge research.
[16:04.780 --> 16:18.860]  Basically, there were some unpatched Bluetooth vulnerabilities on some Toyota vehicles that were in circulation that had been made outside of Japan, I want to say as early as 2016 or 2017.
[16:19.720 --> 16:27.600]  Unpatched Blueborn led to daemon level access. For any of you that have followed Bluetooth security at all, you might have heard of Blueborn before.
[16:27.600 --> 16:40.980]  Blueborn was a series of high profile Bluetooth vulnerabilities that were released, or I guess publicized, I believe in 2017 by Armist Labs.
[16:41.080 --> 16:44.400]  That's the name of the lab that came up with these vulnerabilities.
[16:44.460 --> 16:53.920]  It was essentially the ability to remotely execute code on any device that had Bluetooth enabled, even if the device wasn't in discoverable mode.
[16:53.920 --> 17:06.300]  Discoverable mode is when you make your Bluetooth device visible for the intent of pairing with another device, you have to make it visible through discoverable mode just so that it's easier to find.
[17:06.300 --> 17:20.200]  But they essentially showed that even without having to pair with the device, without the device being in discoverable mode, they could execute code on any device running Bluetooth remotely.
[17:20.200 --> 17:36.760]  The scenario behind this disclosure that happened this year by Tekine Labs, they showed that through exploiting these unpatched vulnerabilities in these automotive head units inside these Toyota slash Lexus vehicles,
[17:36.760 --> 17:46.020]  they were able to gain daemon level remote code execution because the Bluetooth service on the main board here,
[17:46.020 --> 17:52.340]  this board here, this is a wiring, a logical diagram of the inside of that head unit.
[17:52.340 --> 17:57.640]  This main board, which is running the Bluetooth service, was running Bluetooth at a pretty high privilege.
[17:57.660 --> 18:00.040]  It was running it at a daemon level privilege.
[18:00.580 --> 18:10.140]  So from there, they were actually able to get remote code execution, escalating privileges to root and establishing a Wi-Fi backdoor was the next thing they did.
[18:10.140 --> 18:20.520]  So they made a Wi-Fi backdoor that allowed them to SSH back into it from a slightly longer range than Bluetooth allows, because Wi-Fi has a better operating range than Bluetooth does.
[18:20.740 --> 18:34.280]  And through that, they were then able to make use of this main board's position inside the head unit to actually push updates to some of the other devices inside the head unit.
[18:34.280 --> 18:43.400]  Specifically, this UConn board. This UConn board is connected to the CAN buses that the head unit itself is connected to.
[18:43.400 --> 18:53.680]  And for those of you who are coming from an automotive background and just wanted to learn a little bit about Bluetooth, you know that being connected to the CAN bus is essentially getting access to the car's nervous system.
[18:53.680 --> 19:01.840]  This is the in-vehicle, the controller area network, the in-vehicle network, along which a lot of the vehicle controls happen.
[19:01.840 --> 19:10.420]  So long story short, I could talk about this particular bit of research for about an hour on its own.
[19:10.420 --> 19:20.120]  But long story short, Bluetooth vulnerability led to further exploitation in the installation of a backdoor, which allowed the researchers to reflash this UConn board,
[19:20.120 --> 19:26.800]  which, by the way, didn't have any checks on the software that was pushed to it for updating it, which is an entirely separate problem.
[19:26.800 --> 19:34.120]  But we're then able to pivot from there onto both the CAN buses, the dedicated CAN bus and the infotainment CAN bus.
[19:34.120 --> 19:44.200]  One of the lucky, I suppose, features of this entire scenario is that the CAN buses were pretty well segregated by this central gateway ECU.
[19:44.200 --> 19:53.420]  So despite having this foothold, it was a big deal that the vehicle's steering, braking and acceleration were actually not affected.
[19:53.420 --> 20:00.700]  I believe that is in part due to the central gateway in place and the fact that the different CAN buses were physically separated.
[20:01.800 --> 20:08.540]  But anyway, that's a good, you know, just a good point to keep in mind. I'm going to double check and make sure there are no points I missed.
[20:08.540 --> 20:15.820]  So, yeah, one of the things that they had to do the updating for was the ability to remove filters on arbitrary CAN message sending.
[20:15.820 --> 20:24.140]  So that's the update that they actually sent to the UConn board was the ability to, they added the ability to send arbitrary CAN messages.
[20:24.500 --> 20:29.340]  The full technical report isn't out, but it's hopefully scheduled to be released in 2021.
[20:29.820 --> 20:34.700]  And it really, you know, anybody can say how well the rest of 2020 is going to go.
[20:35.080 --> 20:40.900]  But anyway, we have now time for a live demo.
[20:40.900 --> 20:46.180]  Right. So this is going to be a quick demo showing how to get started with Bluetooth in a Linux environment.
[20:46.720 --> 20:50.440]  As always, when it comes to live demos, you know, something always goes wrong.
[20:50.440 --> 20:57.560]  I actually have a automotive head unit that I was hoping to show a live interaction with it through Bluetooth.
[20:57.560 --> 21:01.840]  But unfortunately, today it decided it didn't want to stay on.
[21:01.840 --> 21:04.980]  So I'm going to be actually just showing how those Bluetooth tools work.
[21:04.980 --> 21:12.520]  But I'm going to be using my cell phone as the target for analysis instead.
[21:12.520 --> 21:17.140]  So I will switch over to my virtual machine and we'll head right back into the recording.
[21:18.400 --> 21:22.760]  OK, so let me increase the font size here.
[21:23.200 --> 21:25.700]  How's that look? A little bit bigger.
[21:26.320 --> 21:34.940]  OK, so for any of you wondering, I'm running a stock Kali Linux distribution on this virtual machine right on my Windows desktop.
[21:35.360 --> 21:40.400]  I don't have anything incredibly interesting installed from a Bluetooth perspective.
[21:40.400 --> 21:47.220]  So all of the tools I'm going to be showing are actually available in Kali Linux, you know, as you know, fresh upon installation.
[21:47.220 --> 21:50.960]  Right. So there's no there's no fancy software. It's no secret hardware I'm using.
[21:50.960 --> 21:54.460]  I'm just using the Bluetooth chip inside my computer.
[21:54.460 --> 22:02.180]  I want to give a disclaimer that sometimes things get a little bit strange if you use Bluetooth through a virtual machine.
[22:02.180 --> 22:11.720]  The reason is because your virtual machine and the actual hardware and your actual host machine are sharing the same hardware, right?
[22:11.720 --> 22:19.600]  The same Bluetooth hardware. So if I start connecting to something with my virtual machine, it will sometimes confuse the host machine.
[22:19.600 --> 22:28.340]  And that's, you know, it's a little bit of an annoyance. But for the sake of today's educational demonstration, I think we can we can live with that.
[22:28.340 --> 22:36.700]  Right. So the first thing I need to say, of course, a disclaimer that we're not I'm not going to be showing any, you know, vulnerabilities or exploits,
[22:36.700 --> 22:43.580]  you know, that could lead to compromise of any systems. Right. I'm just going to be showing some basic surveillance tools and showing
[22:44.340 --> 22:50.580]  what you can find very easily with the proper knowledge, with some, you know, open source software.
[22:50.580 --> 22:57.600]  I'm not talking about anything incredibly expensive, you know, you know how it is. But, you know, it's important that we understand, you know,
[22:57.600 --> 23:03.960]  the whole purpose behind all of this is that we understand what security risks might be present in the vehicles we operate.
[23:03.960 --> 23:10.100]  You know, the other devices running Bluetooth, any privacy concerns that might be, you know, unaddressed otherwise. Right.
[23:10.100 --> 23:18.780]  We don't learn these things in order to harm people. We use these techniques to arm ourselves with the appropriate knowledge to protect ourselves
[23:18.780 --> 23:27.340]  from those who may do us harm or may mean us harm. Right. Anyway, so now that that's out of the way, let's get to the actual interesting stuff.
[23:27.340 --> 23:36.360]  So the first thing I have to do is pseudo service Bluetooth start. Right. Put in my password and let that work. Right.
[23:36.360 --> 23:45.080]  So a lot of times, I don't know why this is, but the Bluetooth service will actually be disabled by default. Right.
[23:45.080 --> 23:50.180]  When you start up your device, you can actually change that in your settings so that it turns on by default.
[23:50.180 --> 23:58.420]  But whether or not you want to do that is up to you. But in any case, the next thing we're going to do is check what Bluetooth controllers are available
[23:58.420 --> 24:07.260]  on our machine. So that's done in Linux with hci-config. Right. That's host control interface configuration.
[24:07.400 --> 24:13.620]  So this now here shows all of the devices I have, all the Bluetooth devices. I have just one right now.
[24:13.620 --> 24:23.860]  I have my internal, you know, my laptop's Bluetooth chip. Right. Primary bus is USB. Depending on how your computer is built,
[24:23.860 --> 24:29.640]  this might actually be something different like I2C. Right. So on and so forth. But the way mine is, is set up to be USB.
[24:29.640 --> 24:37.620]  You can see the Bluetooth address of that Bluetooth chip. Right. Mine is currently up and it's running a PSCAN right now.
[24:37.680 --> 24:45.840]  You can see a lot more information if you say pseudo hci-config-a. Right. We can see a little bit more now. Right.
[24:45.840 --> 24:51.440]  So we see the same information as before. We have the Bluetooth address. We have the status. You know, it's up and it's running.
[24:51.440 --> 24:59.440]  We see I haven't really sent very much, so I don't have any errors. You know, nothing incredibly special is happening here.
[24:59.620 --> 25:07.240]  And most of this information isn't incredibly useful. Right. Like off, you know, off the bat, it's not incredibly useful.
[25:07.240 --> 25:14.200]  I'll be perfectly honest. Right. But there are a couple of interesting things here. For example, the name. Right. Name is Kali.
[25:14.200 --> 25:25.860]  This is how my device appears when I go into discoverable mode and another device kind of scans me or finds my device through its scan for Bluetooth devices,
[25:25.860 --> 25:33.280]  because that's how Bluetooth devices find one another is they do a scan and any device that's discoverable in your area, you'll be able to pick up on it.
[25:33.280 --> 25:41.100]  Right. I'll be showing that in just a quick second. So more than that, there is this class object here. Right.
[25:41.100 --> 25:52.500]  So the class in this scenario is talking about the class of device. This, you know, this one, two, three, four, five, six, this three byte number or, you know,
[25:52.500 --> 26:01.840]  hexadecimal number is actually used to identify what type of device belongs to this or this Bluetooth chip belongs to.
[26:01.840 --> 26:10.480]  So the class will identify your device as a phone, as a laptop, as a desktop, as a pair of headphones, so on and so forth.
[26:10.480 --> 26:20.740]  Sometimes this is a big deal, right, because if you think about a car, most cars aren't designed with the expectation that they'll connect to a laptop over Bluetooth.
[26:20.740 --> 26:34.620]  It's not like the most outlandish thing to think in the world, but a lot of cars will actually refuse Bluetooth connections from devices that have their class identifying them as, you know, a laptop or a desktop computer.
[26:34.620 --> 26:45.940]  So depending on the actual type of Bluetooth chip you're using, you might be able to change the class of device that your device actually identifies as, right?
[26:45.940 --> 26:51.840]  So I don't believe I have the ability to do that with my internal laptop Bluetooth chip, right?
[26:51.840 --> 27:02.060]  This is entirely a metric of the Bluetooth chip installed inside of my laptop. I'm actually going to go ahead and give it a shot and see if I can change it, right?
[27:02.060 --> 27:13.260]  But the first thing I'll do is I'll show you guys, right, hci-config-hci0-class. This will give us a little bit more information about what my class is reporting, right?
[27:13.500 --> 27:30.200]  Currently my class is set to 0c0000. This is actually, I think, because I'm using a virtual machine, right? It's just labeled as miscellaneous. It doesn't have a actual, you know, real class of device because this is a virtual machine.
[27:30.200 --> 27:35.120]  But let's see if I can't change it, right? I'm actually doing this for the first time. I've never done this myself on this machine.
[27:35.120 --> 27:47.720]  But if I go for sudo hci-config-hci0-class and I enter the class ID I want to set it as 0x5a020c. I know that's for cell phone.
[27:48.720 --> 28:00.540]  Huh, let's see if that worked. Oh, there we go, right? So now I've successfully changed the class of device associated with my Bluetooth chip to that of a cell phone.
[28:00.540 --> 28:10.140]  So see the device class here now shows phone, smartphone. So you might be familiar with this, like when you're trying to pair your phone to your car, right?
[28:10.140 --> 28:19.940]  When you're searching for your car on your cell phone in the Bluetooth menu, it'll actually show like a little symbol next to each device, kind of giving you an idea of what kind of device that is, right?
[28:19.940 --> 28:26.740]  Is it a pair of headphones? Is it like, it'll show like a laptop, like a little, you know, clipart laptop if it's an actual computer, right?
[28:26.740 --> 28:36.220]  Or if it's another smartphone, it'll show a smartphone. So now when I scan or go discoverable with my laptop, it will display itself as though it was a smartphone, right?
[28:36.220 --> 28:46.000]  This is useful for spoofing if you want to copy someone else's device and try and do some research on intercepting a, you know, pairing request, for example.
[28:46.000 --> 28:52.200]  That's, you know, that's, you're getting very, very creative there at that point, right?
[28:52.200 --> 28:58.480]  But, you know, I'm glad this worked out. This gives me something to show for. But anyway, on with the demonstration, right?
[28:58.480 --> 29:08.860]  So the first, you know, in general, when you're doing a security test, the first thing you need to learn how to do is actually find what you're looking for, right?
[29:08.860 --> 29:22.620]  And so that means you need to scan. So HCI tool, scan. Let me, so because like I mentioned before, the actual device I'm using, the, or I wanted to use the extracted head unit currently isn't working.
[29:22.620 --> 29:27.740]  I'm going to actually turn Bluetooth on on my smartphone, and we're going to see if I can't find it by scanning.
[29:27.740 --> 29:38.080]  So HCI tool, scan, scanning, scanning. I'm currently discoverable, so it should pop up any minute now. If it doesn't, I'll have to think fast because, well, okay.
[29:38.080 --> 29:46.500]  Anyway, here we go. Okay, so this is my, these are my headphones, right? The name is in Japanese, so don't worry about it if you can't read it.
[29:46.500 --> 29:54.720]  But this here is my cell phone, right? It shows my cell phone's name, right? This is the name that my cell phone broadcasts itself as over Bluetooth.
[29:54.720 --> 30:01.640]  And this is my cell phone's Bluetooth address, right? I don't mind sharing this information. There's not a whole lot you can do with this.
[30:01.700 --> 30:13.100]  But there is a little bit more than you think that you can do with this, right? And I'll show off some of the features of what's actually contained inside a Bluetooth address in just a second.
[30:13.100 --> 30:29.800]  So this basic scan here gives us a very basic idea of what's around us. But if we say instead, this sudo hci-tool info, and then I copy this, right, and paste it into my command line,
[30:29.800 --> 30:41.140]  it's requesting information from my phone. And now we have this whole little dump here. This dump is great, right? This is really, like, the first thing you want to do when you're testing a Bluetooth device.
[30:41.140 --> 30:53.420]  And I'll show you why. The first thing it shows you is the OUI company, the Organizationally Unique Identifier company, Samsung Electronics, right?
[30:53.420 --> 31:02.540]  I've been exposed. I'm using a Samsung phone, right? So you can find out what kind of phone I'm using without ever looking at my phone just by scanning my Bluetooth address, right?
[31:02.540 --> 31:17.680]  The reason for this is because the first half of a Bluetooth ID is actually this OUI. It's the Organizationally Unique Identifier. This identifier identifies Samsung Electronics Corporation, right?
[31:17.680 --> 31:39.680]  You see that DC748? It's right there, right? So all Samsung Galaxy S8 Pluses, I assume, will have this same Bluetooth address. I don't know if there are, like, sub-classifications for this, but, for example, what I mean by that is if there are...
[31:39.680 --> 31:51.720]  How should I say? I don't know if there are, like, different, like, lots of different Samsung Electronics OUIs. Maybe there are. I don't know exactly, but, you know, it might be.
[31:51.720 --> 32:01.600]  But the point is, the point is, there's actually a website, you know, where you can go and look up, I believe, on the Bluetooth Special Interest Group's website, they have a OUI lookup tool.
[32:01.600 --> 32:16.000]  So you can find any OUI, right? If you find it, you know, just by war driving in the street or something, and you find a device, but it doesn't return here, you might be able to look it up on the website and find out what kind of device or what the manufacturer of that device was.
[32:16.820 --> 32:24.520]  More interestingly here, right, is the actual LMP version of that device. So the LMP is the Link Manager Protocol.
[32:24.960 --> 32:34.720]  This is showing the version of the Link Manager Protocol that I'm running, right? And this information might come in handy because, you know, obviously the more information you have on your target, the better.
[32:34.720 --> 32:50.140]  You have more vectors by which to search for vulnerabilities or other ways to compromise the device, so on and so forth. So this is always a good bit of information to have because this will also give you information on what actual version of Bluetooth that device is running.
[32:50.140 --> 33:11.500]  But going on, so here, the manufacturer tab here, this is usually a big deal. I want to see if I can't find another Bluetooth device. Let's actually scan this one instead because I think that Samsung decided to obfuscate this, so it's not actually showing what the manufacturer is.
[33:11.500 --> 33:35.960]  But that manufacturer field is actually supposed to show the chip manufacturer. Okay, so this one isn't showing up either. This could be because I'm doing this on a virtual machine. I don't know why this is not showing an actual, how should I say, an actual company's name.
[33:35.960 --> 33:58.080]  Normally this will show something like Broadcom or Cambridge, you know, like any of the actual chip manufacturers, their name will usually show up here. This is the first time I've seen the whole not assigned thing, but well, not everything can go right, right? I mean, we already lost the head unit I wanted to test on.
[33:58.080 --> 34:17.680]  But anyway, now that we're here, we scan my headphones, you can see they're Bose Corporation. So any company that's making Bluetooth devices will usually have their own OUI registered, and you can find that out through here. I'm still not sure why this isn't showing up, but normally it does. I promise, I'm not making that up.
[34:17.680 --> 34:41.340]  Let me try and add one more device onto my Bluetooth network and see if I can't scan it and introduce another test subject. So let's scan, scanning, scanning, scanning. I just turned on my Xbox controller, so let's see if I can't find this through the Bluetooth scanning here.
[34:41.340 --> 35:02.980]  Aha! Okay, so we have this new address. Let's copy that and let's come over here and paste it. Let's see if we get lucky this time. So once again, not assigned. I don't know what's going on here. I suspect it might be an issue with the virtual machine setup, but that's surprising in and of itself.
[35:02.980 --> 35:28.460]  Anyway, so I've kind of gone in a circle here, wasting some of your time. I apologize for that, but let's get on with the rest of the tools. So after scanning, I mentioned earlier that one of the protocols running on the host side of Bluetooth is the Service Discovery Protocol. So Service Discovery Protocol is the only connection-based protocol that doesn't require encryption.
[35:28.460 --> 35:54.260]  And this is because what Service Discovery does is it advertises what services, what functionalities this Bluetooth device has. If it's a car, it's got to have phone book access, it's going to have audio-visual control. Each of these is its own set of functionalities that's dictated by those services. We call those services.
[35:54.260 --> 36:16.080]  So the way you actually look at what services are available on a device, right, let's go back to my cell phone and copy this here. Copy that. So if we come back down here to the command line and we go sdptool, Service Discovery Protocol tool, browse. I just paste that. Let's see if we can't ask it for some information.
[36:16.080 --> 36:40.340]  So sometimes it will refuse it based on the device. Sometimes you have to be paired with the device before it will actually concede any information to you. This is, the embarrassing part about this is that I wish I could tell you that all of these tricks worked 100% of the time, the first time, every time. Sometimes that's not, that doesn't actually work. Sometimes you have to just try it more than once.
[36:40.340 --> 36:52.340]  Sometimes the device just doesn't want to talk to you unless you do a fully established connection, right? So it looks like my cell phone is being pretty stubborn today, but...
[36:57.020 --> 37:15.900]  Okay, I might have to come back to this after I try and connect to it. Okay, yeah, so it looks like it's not working. But anyway, we're going to skip over Service Discovery Protocol and we're going to look at another part of Bluetooth in Linux, right? This is the last main thing I'm going to be showing. This is Bluetooth CTL.
[37:15.900 --> 37:43.880]  Bluetooth CTL is short for Bluetooth Control. This is the agent that BlueZ, right? The Linux Bluetooth Protocol stack uses to manage connections and stuff. So when I enter this, you know, Bluetooth Control, I get this like special little different terminal here, right? It's like blue and I have my own separate set of commands, right? Each of these is its own talk in itself. So I can't really go too far into detail, but I'll show you all the important ones.
[37:43.880 --> 38:13.120]  So the first one you want to show or I'd like to show is list, right? List will show me all of my controllers and it will tell you which one is the default controller, right? So this is important because sometimes you'll have more than one controller on your system. For example, if your controller, the internal controller, Bluetooth controller on your system doesn't allow you to change the class, for example, a USB, you know, an external one might allow you to do that, right? So you might have two and then you need to select which one you want to use. So in my case, I'm going to say select...
[38:14.500 --> 38:22.100]  to a tab complete. Yeah, it's my only one. So it's kind of redundant to do that, but it's a good thing to know how to do, right?
[38:23.680 --> 38:35.360]  So devices, what did my devices show? So I have my, these are not my AirPods. These are one of my friend's AirPods, but they're there. And if I go remove, will that remove them? Yes, it will.
[38:35.360 --> 38:46.200]  So now I go back to devices. So now we're back to an empty list of devices, right? So devices is used to show all the, well, devices that you encountered, right?
[38:46.200 --> 38:57.300]  So let's see if there's a part of this help screen here. It doesn't actually show. No, it does. Yeah, it lists the available devices. So anything that you've scanned, anything that you know is in your vicinity, right?
[38:57.300 --> 39:04.360]  will appear in that devices list. I removed this because these aren't with me right now. So they're not actually around here.
[39:05.580 --> 39:16.560]  But let's go ahead and turn on the scanning feature of Bluetooth control. It's a little bit different from the HCI control, but set scan on and then see what shows up, right?
[39:16.560 --> 39:25.820]  So as before, we have my phone, right? It shows up as a new device, which is now populated in my devices tab. And from here, I can go ahead and connect to it.
[39:25.820 --> 39:37.320]  Oh, there are my headphones again. Let's turn this scan off now because I've got my target device, right? It's already shown up here. There's no need to keep poking around and exposing my neighbor's Bluetooth devices.
[39:38.140 --> 39:50.600]  But from here, we have a couple of more cool things we can try. We can say info DC, right? And see what we got. You know, through this interface here, we have a similar
[39:52.060 --> 40:03.940]  dump of information that we got when we use HCI tool info. But here we can actually see the class of my cell phone, right? So it's showing that this is class 005A020C, right?
[40:03.940 --> 40:14.460]  This is the same one that I changed my internal computer to. But it shows like, you know, it shows what the class of the opposing device is, which might be useful information.
[40:14.460 --> 40:24.300]  And you know, icon is going to be a phone, not paired, not trusted, so on and so forth. And it does support legacy pairing, right? This might be a piece of information that you're interested in, right?
[40:24.300 --> 40:33.140]  Depending on what you're looking for. So let's go ahead and actually try and pair with my phone. Let me just unlock this thing and get to the pairing process.
[40:33.140 --> 40:45.360]  So if I say pair dc, tell me to pair with this. Okay, it says connected. Yes, so I have a connection. Okay, I have a added device. I'm going to hit OK on my phone.
[40:46.400 --> 40:55.720]  Because I'm doing this in a virtual machine, this might not work as I hope it will, but it's something, right? Okay, so now I have shows Allendite here saying I'm connected to it.
[40:55.720 --> 41:16.400]  I'm going to actually open a new tab and say SDP tool, browse this and see if this time we get a response from it. Hopefully this will work. If it doesn't, I'll have to include like a post recording, like screenshot of what the output of this tool looks like, but I'd like to be able to show it live if possible.
[41:20.520 --> 41:23.860]  Yeah, I knew doing this on a virtual machine was a mistake.
[41:27.060 --> 41:38.840]  Let's try this in sudo. I don't know if it got stalled somewhere before reaching the actual communication part because it's not showing the requesting information part that it was last time.
[41:40.740 --> 41:52.240]  In my experience doing Bluetooth, a lot of times things just don't work. That's the second time, right? Like they just don't.
[41:52.640 --> 42:01.740]  So as embarrassing as that is to admit, this is a genuine part of working with these tools, right?
[42:01.740 --> 42:06.040]  So here, if I come here and I say paired devices.
[42:06.740 --> 42:09.000]  Okay, so this didn't work.
[42:09.800 --> 42:12.500]  Let's try pairing to it again.
[42:12.900 --> 42:15.760]  Failed to pair in progress.
[42:15.760 --> 42:18.160]  Hold on a second, failed to connect.
[42:18.160 --> 42:19.460]  Operation now in progress.
[42:19.460 --> 42:21.660]  Okay, everything is going wrong right now.
[42:21.660 --> 42:23.940]  Okay, remove DC.
[42:24.120 --> 42:26.360]  Okay, authentication canceled.
[42:26.360 --> 42:28.300]  Okay, we have removed it.
[42:28.300 --> 42:30.120]  No longer my devices.
[42:30.740 --> 42:34.080]  Okay, so let's try this again from the top, right?
[42:35.160 --> 42:39.760]  No matter what the demo shows you, this is what working with Bluetooth is actually like, right?
[42:39.760 --> 42:41.960]  Sometimes it's just a real pain to deal with.
[42:41.960 --> 42:43.340]  So we found it again.
[42:43.340 --> 42:44.280]  Here it is.
[42:44.280 --> 42:45.600]  I'm going to copy that.
[42:45.600 --> 42:48.280]  I'm going to say pair this device.
[42:48.280 --> 42:49.240]  Something to pair.
[42:49.240 --> 42:50.080]  Yes.
[42:50.620 --> 42:51.420]  Okay.
[42:52.720 --> 42:53.200]  And...
[42:55.300 --> 43:01.440]  So they're connected, but my phone is no longer receiving the request to pair, right?
[43:02.560 --> 43:06.600]  You saw earlier how when I asked it to pair,
[43:07.240 --> 43:10.840]  this was a Windows notification that showed up saying, like,
[43:10.840 --> 43:12.740]  click here to set up your Bluetooth device.
[43:12.740 --> 43:15.080]  That's because I'm running a virtual machine.
[43:15.180 --> 43:18.120]  The host OS actually kind of grabs that connection
[43:18.120 --> 43:21.340]  and is like, what would you like me to do with this, right?
[43:21.340 --> 43:26.520]  So I think that I'm going to have to call it here for the Bluetooth demonstrations
[43:26.520 --> 43:29.760]  just because of the limitations of my hardware right now.
[43:29.920 --> 43:36.240]  Because I don't have an actual Linux machine that I can run this on bare metal, unfortunately.
[43:36.460 --> 43:41.660]  But anyway, hopefully, you know, despite all of the hiccups I ran into along the way,
[43:41.660 --> 43:44.440]  you were able to learn something about Bluetooth hands-on.
[43:44.440 --> 43:46.160]  I'm going to switch back over to the PowerPoint
[43:46.160 --> 43:49.740]  and just give you guys some resources to try out
[43:49.740 --> 43:55.680]  and just some closing remarks before ending this talk.
[43:55.680 --> 43:58.080]  So let's go over there real quick.
[44:02.160 --> 44:05.840]  All right, we're back in the PowerPoint.
[44:05.960 --> 44:09.620]  And the last thing I want to go over is a couple of tools
[44:09.620 --> 44:12.460]  that I would suggest looking into for anyone who's new to Bluetooth
[44:12.460 --> 44:16.480]  and wants to, you know, get into Bluetooth research, right?
[44:16.480 --> 44:18.220]  This is a great time to be getting into it.
[44:18.220 --> 44:21.540]  I'll point out why I feel that way in just a second.
[44:21.540 --> 44:26.840]  But here listed on the screen are a couple of resources that I found very helpful in the past
[44:26.840 --> 44:33.200]  and I think that are very relevant for modern day Bluetooth, you know, understanding, right?
[44:33.200 --> 44:35.160]  So pull out the laser pointer.
[44:35.320 --> 44:40.940]  So first and foremost, BlueZ, the Linux Bluetooth stack.
[44:40.940 --> 44:44.440]  There are APIs available for both Python and C.
[44:44.440 --> 44:48.160]  There is a guide online that I have linked in the next slide.
[44:48.160 --> 44:52.040]  It's kind of old. Okay, it's not kind of old. It's really old.
[44:52.220 --> 44:56.040]  But it still does a decently good job of explaining how to get started
[44:56.040 --> 44:58.860]  writing your own very basic Bluetooth programs
[44:58.860 --> 45:02.620]  and just running through that little... it's a pretty short textbook,
[45:02.620 --> 45:07.080]  but running through it is a good way to just get more familiar with how Bluetooth works,
[45:07.080 --> 45:10.920]  what the different components are, what kind of access to Bluetooth you have
[45:10.920 --> 45:13.340]  through BlueZ on your Linux system.
[45:13.340 --> 45:15.340]  I definitely recommend reading that book.
[45:15.440 --> 45:17.400]  Like I said, it's linked in the next slide.
[45:18.020 --> 45:22.060]  Bluetooth Stack Smasher, this is a fun little tool that was made a long time ago.
[45:22.060 --> 45:27.280]  It's not likely going to get you an awesome Pwn of a head unit, right?
[45:27.280 --> 45:31.640]  But it's essentially an L2 cap layer packet fuzzer, right?
[45:31.640 --> 45:36.620]  It will just blast random data, the L2 cap layer at a given Bluetooth address of your choice.
[45:36.620 --> 45:42.660]  It's very, very simplistic, but it has the ability to...
[45:42.660 --> 45:49.860]  you can actually customize the frame, the data that it sends out to the target device.
[45:49.860 --> 45:54.800]  So I've used it before with varying degrees of success,
[45:54.800 --> 45:57.480]  but it is good to know that it exists.
[45:57.480 --> 46:03.320]  It's about as good an over-the-air Bluetooth fuzzer as you can get.
[46:03.960 --> 46:06.420]  SpoofTooth, this is another quite old one.
[46:06.420 --> 46:12.420]  This was a project made for the express purpose of spoofing nearby Bluetooth devices.
[46:12.420 --> 46:15.920]  So it makes it a lot easier to do what I was showing,
[46:15.920 --> 46:18.560]  like with changing your class to copy a device.
[46:18.560 --> 46:23.880]  And you can change your Bluetooth address too, if your Bluetooth chip allows that, of course.
[46:23.900 --> 46:29.900]  So SpoofTooth kind of simplifies that process, of course, based on the allowances of your hardware.
[46:29.900 --> 46:32.940]  And then InternalBlue, this is really a big deal.
[46:32.940 --> 46:39.140]  I think that the lab doing this research here, this is the Simo lab somewhere.
[46:39.140 --> 46:42.680]  I don't remember the country they're based out of, but it's somewhere in Europe.
[46:42.680 --> 46:48.680]  And they are the ones who have really kick-started a lot of the recent Bluetooth research.
[46:48.680 --> 46:52.080]  So I mentioned before the knob attack, right?
[46:52.080 --> 46:55.360]  The key negotiation issue that was part of the Bluetooth protocol.
[46:55.360 --> 47:02.780]  That was discovered because the researchers who found that were using this, this InternalBlue.
[47:02.780 --> 47:13.840]  This is a framework for re-flashing Broadcom Bluetooth chips and essentially using them as very flexible Bluetooth adapters.
[47:13.840 --> 47:19.780]  I won't go into too much detail because I'll be honest, I'm not really qualified to talk about it.
[47:19.780 --> 47:25.200]  I don't want to say anything incorrect and have you all assume that I'm qualified at that level.
[47:25.560 --> 47:27.300]  But it's really, really great.
[47:27.300 --> 47:29.540]  You know, they have a lot of talks published.
[47:30.300 --> 47:35.860]  I believe they published a couple more recently that I still have to watch.
[47:35.860 --> 47:43.000]  But just going to their GitHub page will give you access to all of their papers and, you know, recorded presentations, so on and so forth.
[47:43.000 --> 47:48.140]  And I think everyone interested in Bluetooth could definitely benefit from checking them out, right?
[47:48.420 --> 47:53.060]  So speaking of the references page, this is my references page.
[47:53.180 --> 47:58.500]  The Introduction to Bluetooth Programming is the blue Z one that I talked about before.
[47:58.500 --> 48:03.340]  The internal blue GitHub, definitely a great resource for anyone.
[48:03.340 --> 48:08.380]  Like I mentioned, the Knob Attack. This is if you wanted to read more about the Knob Attack or Blueborn, right?
[48:08.380 --> 48:16.480]  These are the two vulnerabilities that I talked about to some degree of depth in this presentation.
[48:16.740 --> 48:24.540]  And lastly, but not least, this is the link to Bluetooth Stack Smasher, the tool that I mentioned before for L2 cap fuzzing.
[48:24.540 --> 48:28.520]  So hopefully you find any of these useful. Hopefully you learned something.
[48:28.580 --> 48:33.240]  Hopefully this will help you out, maybe in the CTF for our virtual car hacking village.
[48:33.880 --> 48:37.440]  And if you have any questions, of course, I'm always open to be emailed, right?
[48:37.440 --> 48:40.580]  Just send me an email at kamel.ghali at white motion dot com.
[48:40.580 --> 48:47.600]  I'm happy to provide you with these slides or any other resources if they're something that I own and I'm free to share.
[48:47.600 --> 48:54.860]  But hopefully you have a great DEF CON and yeah, on to the next Car Hacking 101.
